[Federation] Resolve response, federation historical keys response: Clarify the JWT must be typed
Spec link: https://openid.net/specs/openid-connect-federation-1_0.html#name-resolve-response
A successful response MUST use the HTTP status code 200 and the content type set to application/resolve-response+jwt, containing resolved metadata and verified Trust Marks.
There is no explicit normative language that the JWT must be typed.
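Added illustration of the cross-JWT confusion that explicit typing prevents (RFC 8725, section 3.11); this is example code written for this page, not code from the spec, the reporter, or the linked PR. It builds a minimal compact-JWS signer and verifier with HS256 so it runs offline (federation JWTs are really signed with the entity's asymmetric keys), signs a resolve response and a Trust Mark with the same constructed key, and shows that a verifier which does not check `typ` accepts the Trust Mark, or an untyped token, where a resolve response was expected. The key, entity URLs, and claim values are all constructed for the example; the `typ` values are the ones discussed in this issue.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# typ values from the spec text quoted in this issue
RESOLVE_TYP = "resolve-response+jwt"
TRUST_MARK_TYP = "trust-mark+jwt"


class JWTError(Exception):
    """Raised when a compact JWS fails any check."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes) -> str:
    """Produce a compact JWS. HS256 is used only to keep the example
    self-contained; real federation JWTs use the entity's asymmetric keys."""
    full_header = dict(header, alg="HS256")
    signing_input = (
        _b64url(json.dumps(full_header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, expected_typ: Optional[str]) -> dict:
    """Verify the signature, then enforce the explicit typ (RFC 8725 s3.11).
    expected_typ=None models a verifier that ignores typ, which is what the
    current spec text still permits for resolve responses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed compact JWS")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise JWTError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise JWTError("bad signature")
    if expected_typ is not None and header.get("typ") != expected_typ:
        raise JWTError(f"typ {header.get('typ')!r}, expected {expected_typ!r}")
    return json.loads(_b64url_decode(c_b64))


# Constructed sample key and payloads (not from the spec or any deployment).
# One key signs both JWT kinds, modelling an entity that issues Trust Marks
# and resolve responses under the same federation keys.
KEY = b"constructed-example-key-do-not-reuse"
ENTITY = "https://rp.example.org"  # hypothetical subject entity

RESOLVE_CLAIMS = {
    "iss": "https://resolver.example.org",
    "sub": ENTITY,
    "iat": 1700000000,
    "exp": 1700086400,
    "metadata": {"openid_relying_party": {"client_name": "Example RP"}},
    "trust_marks": [],
}
TRUST_MARK_CLAIMS = {
    "iss": "https://trust-mark-issuer.example.org",
    "sub": ENTITY,
    "id": "https://federation.example.org/marks/basic",
    "iat": 1700000000,
}


def build_samples() -> dict:
    """Three tokens: a properly typed resolve response, a Trust Mark signed
    with the same key, and a resolve response carrying no typ at all."""
    return {
        "resolve": sign_jwt({"typ": RESOLVE_TYP}, RESOLVE_CLAIMS, KEY),
        "trust_mark": sign_jwt({"typ": TRUST_MARK_TYP}, TRUST_MARK_CLAIMS, KEY),
        "untyped": sign_jwt({}, RESOLVE_CLAIMS, KEY),
    }


def accepted_as_resolve_response(token: str, enforce_typ: bool = True) -> bool:
    """True if a resolve-response consumer would accept this token."""
    try:
        verify_jwt(token, KEY, RESOLVE_TYP if enforce_typ else None)
        return True
    except JWTError:
        return False


if __name__ == "__main__":
    for name, token in build_samples().items():
        print(f"{name:10s} typ-enforcing={accepted_as_resolve_response(token)!s:5s} "
              f"typ-ignoring={accepted_as_resolve_response(token, enforce_typ=False)}")
```

Run it and only the `resolve` sample passes the typ-enforcing verifier, while the typ-ignoring verifier takes all three: a valid signature alone does not tell the consumer which kind of document it is holding, which is exactly the gap the proposed normative text closes.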
Comments (8)
reporter - changed title to [Federation] Resolve response: Clarify the JWT must be typed
-
@Vlad do we have to say "A successful response MUST use the HTTP status code 200 and MUST set the content type to application/resolve-response+jwt"?
-
reporter Let's reuse this:
https://openid.net/specs/openid-connect-federation-1_0.html#section-5.3
Trust Mark JWTs MUST be explicitly typed by setting the typ header parameter to trust-mark+jwt. This is done to prevent cross-JWT confusion (see [RFC8725], section 3.11).
→
Resolve response JWTs MUST be explicitly typed by setting the typ header parameter to resolve-response+jwt. This is done to prevent cross-JWT confusion (see [RFC8725], section 3.11).
I now discovered that for the historical endpoint JWT we’ll also need to say that it must be explicitly typed. This is obvious to us now, but readers won’t know it :-) https://openid.net/specs/openid-connect-federation-1_0.html#section-7.5.2
-
reporter - changed title to [Federation] Resolve response, federation historical keys response: Clarify the JWT must be typed
-
Resolved by this PR: https://bitbucket.org/openid/connect/pull-requests/470
-
-
- changed status to resolved
Closed as already resolved
A developer working with the spec has argued that the JWT must not be typed, so this is something we’ll need to fix.
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/416/openid-connect-federation-10-requred